It is known that certain cryptographic electronic entities, in particular microcircuit cards, are vulnerable to attacks based on the analysis of certain physical parameters during an operational phase. Information is said to “leak” from a calculation made in the card, typically the execution of a cryptographic protocol initiated by the defrauder in possession of the card. The parameters analysed during the execution of such a protocol can be, typically, differences in computing time or electromagnetic radiation during the execution of the computation but, above all, the current consumed by the electronic entity whose code the defrauder is attempting to break.
Thus, the conventional attack consists in causing the electronic entity which has fallen into the hands of the defrauder to execute a certain number of cryptographic protocols based on random messages. These protocols are therefore bound to fail, but each of them causes the entity (the microcircuit card) to execute a chain of operations known by the abbreviation DES (Data Encryption Standard), and the current consumption is analysed during each execution of the said DES. The purpose of this attack is to discover the secret code of the said entity. As regards the DES, this is a well known algorithm, very widely used at present in the field of bank cards or that of access control cards.
By way of example, in the framework of a normal authentication between an entity A, for example a server, and an entity B, for example a microcircuit card in which the DES is programmed, the exchanges of information between the two entities are as follows:
the server A requests the card B to send a message, A and B being assumed to be in possession of the same key.
B sends any message and retains it in memory.
A applies the DES to the message using its key and returns the result to the card B.
At the same time, the card B applies the DES to the message which it has sent to the server A by making use of its own key. It obtains a result which is compared with that generated by the server A. If the two results are identical, the authentication is validated.
Furthermore, in the case of a fraud, that is to say in the case where the defrauder has the card and is seeking to determine the key, the defrauder can connect the card to a reader through which he is able to transmit messages to it, and connect it to means of recording the current consumption during the execution of the operations which it carries out.
On the basis of these simple means, the defrauder forms a system F which he connects to the card in place of the server A.
The process is then as follows. F requests a message from the card exactly as in the case of initialising an authentication. B sends this message. F sends another message to B, purporting to be the result of treatment by the DES of the message sent by B. This message is of course incorrect. However, B makes use of its own key to execute a DES in order to obtain a result for the purpose of comparing it with the (incorrect) message sent by F. The result of this comparison is inevitably negative, but the defrauder has succeeded in initiating the execution of a DES by B. During the execution of the said DES, the current consumption is detected and stored.
If F is capable of causing the card B to carry out a certain number of DES executions under the same conditions, and of storing the current consumption each time, it is possible to implement an attack whose principle is known. This attack, called “DPA” (Differential Power Analysis), makes it possible to reconstitute the secret key of the entity B.
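The exchange described above, as an added simulation that is not part of the patent text: entity A (the genuine server), entity B (the card) and the fraudulent system F are modelled as Python objects, and the card counts every key-dependent computation it performs. HMAC-SHA256 stands in for the DES so that the example runs with the standard library only; the class and function names are assumptions.

```python
import hmac
import hashlib
import secrets

# Assumption: HMAC-SHA256 replaces "apply the DES with the key" from the text,
# so the message flow is preserved even though the cipher is not the DES.
def keyed_transform(key: bytes, message: bytes) -> bytes:
    """Key-dependent computation performed by both entities."""
    return hmac.new(key, message, hashlib.sha256).digest()


class Card:
    """Entity B: holds the shared key, issues the message, verifies the reply."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = None
        self.key_ops = 0  # number of key-dependent computations executed so far

    def request_message(self) -> bytes:
        # 8-byte message, the DES block size; B retains it in memory.
        self._pending = secrets.token_bytes(8)
        return self._pending

    def verify(self, reply: bytes) -> bool:
        # The card computes with its own key BEFORE comparing, whether the reply
        # is genuine or not: every call is one execution a defender must account for.
        expected = keyed_transform(self._key, self._pending)
        self.key_ops += 1
        self._pending = None
        return hmac.compare_digest(expected, reply)


class Server:
    """Entity A: the genuine server in possession of the same key."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, message: bytes) -> bytes:
        return keyed_transform(self._key, message)


def honest_authentication(card: Card, server: Server) -> bool:
    """Normal exchange: A requests a message, B sends it, A answers, B compares."""
    return card.verify(server.respond(card.request_message()))


def bogus_session(card: Card) -> bool:
    """System F: it has no key, so it answers with a meaningless (incorrect) reply."""
    card.request_message()
    return card.verify(b"\x00" * 32)  # constructed bogus reply; comparison fails
```

Each bogus session fails, yet `card.key_ops` still rises by one, which is exactly the exposure the text describes.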
The document WO 99/63696 aims at countering attacks of this type by reducing the exploitable information capable of “leaking” during the execution of algorithms. In order to do this it suggests, in particular, introducing random elements (hazards) into the cryptographic protocols in order to increase the number of cycles necessary to discover the secret key.